
Information security risk management: a continuous process at the heart of the ISMS

Information security risk management is a structured, continuous, and iterative process within the ISMS. It is not limited to a one-off exercise carried out to satisfy a regulatory requirement, but aims to equip the organization to identify, analyze, address, and manage risks over time, in line with its business, regulatory, and strategic objectives.

Too often reduced to a simple "risk analysis" carried out at the start of a project, risk management is in fact a complete cycle: from establishing the context to monitoring and review, including assessment, treatment, and acceptance.

This overall process thus constitutes the decision-making core of the ISMS: it informs security choices, prioritizes investments, and enables management to steer information security in a controlled and justifiable manner.

Risk management, a structuring process of the ISMS

An end-to-end approach

Risk management is part of a comprehensive approach, from understanding the context to monitoring residual risks. It goes far beyond the initial analysis stage to become an ongoing management mechanism.

This ongoing approach enables the organization to identify not only the risks present at the time of certification, but also those that emerge as the company, its technologies, and its environment evolve.

The decision-making heart of the ISMS

Risk management plays a key role in decision-making for several essential reasons:

  • Inform security choices: every investment or prioritization decision must be based on risk assessment. Should supervision be strengthened? Should backup be outsourced? Should teams receive more training? The answers can be found in risk analysis.
  • Prioritize investments: when resources are limited, risk management allows for objective decision-making. High risks justify priority action, while low risks can be monitored without immediate action.
  • Manage security in a controlled manner: management has a consolidated and well-founded view of risks, facilitating strategic decisions and communication with stakeholders (customers, partners, regulators).

Alignment with business objectives

Risk management can only be effective if it remains aligned with the organization's business, regulatory, and strategic objectives. Risk management that is disconnected from business issues quickly becomes a theoretical exercise with no added value.

Each risk must be linked to a concrete impact: loss of revenue, damage to reputation, regulatory non-compliance, operational disruption. This perspective allows us to speak the language of management and business lines, not just that of technology.

The main stages of the risk management cycle

1. Setting the context

Establishing the context is the foundation of any coherent risk management approach. This step aims to:

  • Define the scope of the ISMS: which organizational entities, processes, and information systems are involved? This scope must be explicit and approved by management.
  • Identify stakeholders and assets: who are the key players? What are the essential assets (customer data, intellectual property) and supporting assets (applications, infrastructure) that need to be protected?
  • Define assessment scales: how can the impact and likelihood of a risk be measured? What are the risk acceptance thresholds? These scales must be understandable to all stakeholders.

A well-established context ensures that risk analysis is relevant, proportionate, and actionable over time.

2. Risk assessment

Risk assessment is at the heart of the analysis. It is based on several structured activities:

  • Identification of threats and vulnerabilities: what are the potential causes of incidents (cyberattacks, human error, breakdowns)? What weaknesses can be exploited (inadequate configurations, non-existent procedures)?
  • Construction of risk scenarios: how does a threat exploit a vulnerability in a supporting asset, resulting in an impact on a critical asset? Each scenario must be formulated in a clear and understandable manner.
  • Impact and likelihood assessment: what would be the consequences if the scenario were to occur (financial, operational, regulatory, reputational impact)? What is the likelihood of it occurring, given the existing measures?
  • Calculating the level of risk: the classic formula is Risk = Impact × Likelihood. The result allows the risk to be classified (low, medium, high, major) and its acceptability to be determined.

3. Risk treatment

Once the risks have been assessed, treatment decisions must be made for each identified risk. There are four main options:

  • Reduction: implement security measures to reduce the likelihood or impact of the risk (access controls, backups, training).
  • Acceptance: accepting the risk as it stands, without additional measures, if its level is deemed acceptable or if the cost of treatment is disproportionate.
  • Sharing: partially transferring the risk to a third party (insurance, subcontracting, contractual clauses). Sharing never completely eliminates the risk.
  • Avoidance: abandoning the activity that generates the risk when the risk is deemed unacceptable and no realistic measures can reduce it.

Each treatment decision must be documented, justified, and validated by the owner of the risk concerned.

4. Acceptance of risks

Risk acceptance is a governance decision that engages the responsibility of the organization.

For each residual risk (risk remaining after treatment), formal acceptance must be made by the risk owner and, for major risks, by management.

This acceptance includes validation of the residual risk level, confirmation of the measures implemented, and explicit justification of the decision. No residual risk above the acceptance threshold can be considered accepted without a formal, documented decision.

5. Monitoring and review

Monitoring and review ensure that risk management remains aligned with the reality of the organization. This step includes:

  • Monitoring treatment plans: are the measures decided upon actually being implemented? Are they effective? Are deadlines being met?
  • Periodic risk review: conducted at least once a year, this review aims to verify the relevance of scenarios, reassess impacts and likelihoods, and identify new risks.
  • Update in the event of a significant change: a change in scope, a security incident, a regulatory change, or any other major change must trigger a targeted reassessment of the risks concerned.

This cycle is continuous: risks evolve with the organization, its environment, its technologies, and its threats. Risk management must therefore be thought of as an ongoing control mechanism.

Link between risk management and the SMSI PDCA cycle

A structuring link

Risk management is closely linked to the PDCA (Plan – Do – Check – Act) cycle of the ISMS, which structures the continuous improvement required by ISO 27001.

Plan: define and analyze

The Plan phase includes:

  • Setting the context
  • Risk analysis
  • Defining security objectives
  • Development of the risk treatment plan

It is during this phase that the organization defines its security strategy, based on the risks identified and assessed. Each security objective must be linked to one or more risks to be addressed.

Do: implement

The Do phase corresponds to operational deployment:

  • Implementation of security measures
  • Implementation of actions resulting from the treatment plan
  • Awareness raising and training of teams

The challenge is to transform treatment decisions into concrete, measurable, and traceable actions.

Check: measure and control

The Check phase verifies the effectiveness of the actions taken:

  • Monitoring risk indicators
  • Internal controls and audits
  • Review of the effectiveness of measures
  • Reassessment of residual risks

This phase allows us to verify whether the measures implemented are effectively reducing the level of risk as expected, or whether adjustments are necessary.

Act: adjust and improve

The Act phase translates lessons learned into improvement actions:

  • Adjustment of security measures
  • Risk analysis update
  • Improvement or correction decisions
  • Management decisions taken during the management review

Thus, risk analysis feeds into the PDCA cycle, and vice versa: the results of controls, incidents, audits, or changes enrich and adjust the risk analysis.

This virtuous cycle ensures continuous improvement in risk management and the maturity of the ISMS.

Risk management in the project phase vs. the maintenance phase

Project phase: building the foundation

Risk analysis during the project phase occurs in particular during the initial implementation of the ISMS, a certification project, or a structural change (new activity, cloud migration, merger).

Key features:

  • A broader, more structured view
  • Comprehensive identification of major assets, processes, and scenarios
  • Analysis that is sometimes more theoretical and based on assumptions
  • Objective: build a baseline of reference risks and define security priorities

This analysis serves as an initial reference point on which the ISMS will be based. It lays the methodological foundations (scales, thresholds, processes) and identifies the main areas of focus.

Maintenance phase: keeping the system alive

In the maintenance phase, the approach changes radically. The challenge is not to start from scratch, but to implement risk analysis in a proportionate and effective manner.

Key features:

  • More focused and pragmatic analysis
  • Updating existing scenarios
  • Addition or removal of risks based on developments
  • Strong connection with incidents, audits, non-compliance, and indicators

In maintenance, risk management becomes reactive and opportunistic: each incident, each change, each audit provides lessons that are used to adjust the analysis.

Risk management in maintenance: risk as a management unit

Change your posture

During the ISMS maintenance phase, it is essential to change your approach compared to the project phase. The challenge is no longer to consider risk analysis as a global exercise, fixed or to be repeated in its entirety, but as a tool for the dynamic management of individual risks.

Risk as a management unit

Effective risk management is based on a key principle: risk is the unit of control, not risk analysis as a whole.

In practical terms, each identified risk must be able to be monitored, updated, addressed, or accepted independently of the others, depending on its own evolution. This approach allows:

  • Updating each risk individually: when a change occurs (new threat, new measure, incident, change in context), only the relevant risk sheet needs to be reviewed. There is no need to redo the entire analysis.
  • Targeted adjustment: adjusting the likelihood or impact, reassessing the residual risk, and updating the treatment plan if necessary.

Annual review: confirmation, not overhaul

The concept of "annual risk analysis" should not be interpreted as a complete overhaul. The annual review is primarily intended to:

  • Verify that the identified risks are still relevant
  • Confirm that critical risks are being managed appropriately
  • Ensure that acceptance decisions remain valid

This approach promotes greater responsiveness to change, reduces unnecessary workload, and provides clear traceability of security decisions.

Risk analysis as a living record

Risk analysis becomes a living register, comparable to a backlog, where each risk has:

  • A status (identified, in progress, accepted, closed)
  • A responsible party (risk owner)
  • A priority level (low, medium, high, critical)
  • Related actions (from the treatment plan)
  • An explicit decision (agreed, accepted, in progress)

This approach is fully consistent with the spirit of ISO 27001 and ISO 27005: what matters is not the existence of a fixed document called a "risk analysis," but the organization's demonstrated ability to manage its risks in a continuous, proportionate, and justifiable manner.

It is a key factor in the maturity of the ISMS and a major focus during maintenance audits.
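As an added example (not code from the article or any particular tool), the following Python sketch implements the register described in this section together with the rules from the assessment and acceptance steps: Risk = Impact × Likelihood, classification into the four classes, formal acceptance that requires a documented justification and management sign-off for major residual risks, and the update of a single risk sheet without redoing the whole analysis. The 1-4 scales, class cut-offs and acceptance threshold of 6 are assumptions, as are the sample risks.

```python
from dataclasses import dataclass, field, replace
from typing import Optional

# Assumed for this example: 1-4 scales, class cut-offs and an acceptance threshold of 6.
ACCEPTANCE_THRESHOLD = 6  # residual level above this needs a formal, documented decision
ASSESSMENT_FIELDS = {"impact", "likelihood", "residual_impact", "residual_likelihood"}

def risk_level(impact: int, likelihood: int) -> int:
    """Risk = Impact x Likelihood, each scored on a 1-4 scale."""
    if not (1 <= impact <= 4 and 1 <= likelihood <= 4):
        raise ValueError("impact and likelihood must be scored 1-4")
    return impact * likelihood

def classify(level: int) -> str:  # the article's four classes; cut-offs assumed
    return "major" if level >= 12 else "high" if level >= 8 else "medium" if level >= 4 else "low"

@dataclass
class Risk:  # one risk sheet of the living register, with the fields the article lists
    rid: str
    scenario: str
    owner: str                                   # risk owner
    impact: int
    likelihood: int
    residual_impact: Optional[int] = None        # None: no treatment applied yet
    residual_likelihood: Optional[int] = None
    status: str = "identified"                   # identified / in progress / accepted / closed
    decision: Optional[str] = None
    actions: list = field(default_factory=list)  # actions from the treatment plan
    def residual(self) -> int:
        return risk_level(self.residual_impact or self.impact, self.residual_likelihood or self.likelihood)

def accept(risk: Risk, justification: str, approved_by: str, management_approved: bool = False) -> Risk:
    """Formal acceptance: a documented justification always, management sign-off for a major residual risk."""
    if not justification:
        raise ValueError(f"{risk.rid}: acceptance requires an explicit, documented justification")
    if classify(risk.residual()) == "major" and not management_approved:
        raise PermissionError(f"{risk.rid}: a major residual risk must be accepted by management")
    risk.decision, risk.status = f"accepted by {approved_by}: {justification}", "accepted"
    return risk

def update_risk(register: dict, rid: str, **changes) -> Risk:
    """Update one risk sheet only; a changed assessment reopens it and voids any prior acceptance."""
    risk = replace(register[rid], **changes)  # raises TypeError on an unknown field
    if ASSESSMENT_FIELDS & changes.keys():
        risk.status, risk.decision = "in progress", None
    register[rid] = risk
    return risk

def pending_decisions(register: dict) -> list:  # above the threshold, but no formal acceptance
    return sorted(r.rid for r in register.values() if r.residual() > ACCEPTANCE_THRESHOLD and r.status != "accepted")
```

A reassessment after an incident or a new measure goes through `update_risk`, which clears the earlier acceptance so the risk reappears in `pending_decisions` until the owner (or management) decides again.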

Integrate risk management into overall governance

A decision-making tool

Risk management should not be limited to a one-off deliverable produced for the audit. It must be part of the organization's overall governance.

Risk analysis is a decision-making tool, not just a documentation requirement. In particular, it informs:

Update triggers

In addition to the annual periodic review, the risk analysis must be reassessed in the event of:

  • Significant change in the scope of the ISMS
  • Major technological change
  • New regulatory or contractual issue
  • Significant security incident
  • Changes in the organization's strategy or activities

These triggers ensure that the analysis remains aligned with operational and strategic reality.

The key principle of governance

Any security decision must be justified by risk analysis. This principle guarantees:

  • The consistency of the ISMS
  • Control over trade-offs
  • The credibility of the approach vis-à-vis auditors and stakeholders

When this principle is respected, risk management naturally becomes the common language between management, CISOs, business units, and IT.

Conclusion

Information security risk management goes far beyond the initial "risk analysis." It is a continuous, structured, and iterative process that is closely linked to the ISMS PDCA cycle.

During the project phase, the challenge is to build a solid and consistent reference base. During the maintenance phase, the challenge is to manage risks individually, reactively, and proportionately, based on changes in the organization and its environment.

This approach transforms risk management from a documentary exercise into a genuine permanent control mechanism that serves the organization's business, regulatory, and strategic objectives. It thus constitutes the decision-making core of the ISMS, informing security choices and enabling management to control information security in a controlled and justifiable manner.
